Azure Firewall – Hub and Spoke UDR configuration

I was recently working with a Hub and Spoke VNet design that was connected to on-premises through ExpressRoute. The goal is to use the Azure FW within the Hub VNet to provide centralised firewall control between the on-premises network, hub and spoke VNets.

To set up this scenario you have to create UDRs on the GatewaySubnet for any address space that you want routed through the Azure Firewall from on-premises. It is important to note that you cannot define a default route (0.0.0.0/0) on a UDR assigned to the GatewaySubnet. Doing so will break your network connectivity, because the GatewaySubnet requires certain routes to function with the Azure platform.

For example, our Spoke VNet address space is 172.17.0.0/16. We could add this address space to a UDR and assign the next hop to the Azure FW (172.16.0.4). This will force all on-premises traffic destined for the Spoke VNet to route through the Azure FW.

The next step is to create the UDR on the Spoke VNet to direct traffic to the Azure FW. In this scenario it is supported to create a default route (0.0.0.0/0) on the UDR, pointing to next hop type Virtual Appliance and the Azure FW IP 172.16.0.4.

After all of this was set up, I created a basic allow-all rule for internal traffic to test that everything was flowing nicely through the Azure FW. I tested with a ping and everything looked good.

However, when I tried to RDP to the VM in the Spoke VNet I got some strange behaviour. The standard establishing-connection dialogue would appear, but then it would hang, and an error was presented: “An internal error has occurred”.

After a bit of playing around, it turns out that you have to disable BGP route propagation on the UDR assigned to the Spoke VNet. After doing this, I was able to log onto the VM fine.

Reading through the following article, https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps, Microsoft do detail that you must disable BGP route propagation on the Spoke UDR. Why exactly is not clear, but it seems as though some asymmetric routing may occur under certain circumstances if you do not disable it. It is interesting that basic ping connectivity seems fine, and it only fails when attempting to RDP.
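The three rules above (no 0.0.0.0/0 on the GatewaySubnet UDR, the spoke prefix steered to the firewall from the GatewaySubnet, and a default route to the firewall with BGP propagation disabled on the spoke UDR) can be checked automatically. The audit below is an added example, not code from the post or from Microsoft; it assumes route tables in the JSON shape `az network route-table list` returns (field names taken from the ARM schema), and the sample data is constructed.

```python
"""Audit hub-and-spoke UDRs for the rules described in the post (added example)."""
import ipaddress
import json

FIREWALL_IP = "172.16.0.4"      # Azure FW private IP used in the post
SPOKE_PREFIX = "172.17.0.0/16"  # Spoke VNet address space used in the post

# Constructed sample in the shape `az network route-table list` returns
# (field names assumed from the ARM schema; resource IDs shortened).
SAMPLE_ROUTE_TABLES = json.loads("""[
 {"name": "rt-gatewaysubnet", "disableBgpRoutePropagation": false,
  "subnets": [{"id": "/subscriptions/x/.../subnets/GatewaySubnet"}],
  "routes": [{"name": "to-spoke", "addressPrefix": "172.17.0.0/16",
              "nextHopType": "VirtualAppliance", "nextHopIpAddress": "172.16.0.4"}]},
 {"name": "rt-spoke", "disableBgpRoutePropagation": false,
  "subnets": [{"id": "/subscriptions/x/.../subnets/workload"}],
  "routes": [{"name": "default", "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance", "nextHopIpAddress": "172.16.0.4"}]}
]""")


def is_gateway_table(rt):
    """True if the route table is associated with a GatewaySubnet."""
    return any(s["id"].endswith("/subnets/GatewaySubnet") for s in rt.get("subnets", []))


def check_route_table(rt, firewall_ip=FIREWALL_IP, spoke_prefix=SPOKE_PREFIX):
    """Return a list of findings for one route table; an empty list means compliant."""
    findings = []
    routes = rt.get("routes", [])
    to_fw = [r for r in routes if r.get("nextHopType") == "VirtualAppliance"
             and r.get("nextHopIpAddress") == firewall_ip]
    default = [r for r in routes if r.get("addressPrefix") == "0.0.0.0/0"]
    if is_gateway_table(rt):
        if default:  # a default route on the GatewaySubnet UDR breaks the gateway
            findings.append("GatewaySubnet UDR carries 0.0.0.0/0; this breaks gateway connectivity")
        spoke = ipaddress.ip_network(spoke_prefix)  # on-prem -> spoke must go via the FW
        if not any(spoke.subnet_of(ipaddress.ip_network(r["addressPrefix"])) for r in to_fw):
            findings.append(f"no route steering {spoke_prefix} to the Azure FW {firewall_ip}")
    else:
        if not any(r in to_fw for r in default):  # spoke needs 0.0.0.0/0 -> FW
            findings.append(f"spoke UDR lacks 0.0.0.0/0 -> VirtualAppliance {firewall_ip}")
        if not rt.get("disableBgpRoutePropagation", False):
            findings.append("BGP route propagation still enabled on spoke UDR (RDP hung in the post)")
    return findings


def audit(route_tables):
    """Map each route table name to its findings."""
    return {rt["name"]: check_route_table(rt) for rt in route_tables}
```

Running `audit(SAMPLE_ROUTE_TABLES)` flags only the spoke table, for the BGP propagation setting the post describes; setting `disableBgpRoutePropagation` to `true` clears it.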

Below is a quick network diagram showing the UDR that is required on the Spoke VNet.